Microsoft Teams is “Open For Business”...for Hackers
Your data insecurity is not a flaw, it's by design. The risks of default open federations in MS Teams and how it causes security breaches.
Another day, another depressing tale of wide-open-by-design collaboration software from tech giants, that leads to easy exploitation by hackers. This time, it’s Microsoft Teams opening the door for phishing attackers to send federated Teams server messages to organizations who didn’t have sufficient paranoia to close the biggest open door ever into their internal communications.
How Do I Exploit Thee, Let Me Count the Ways
Big tech products are built on the notion of exploiting customer-generated data. Social media is the classic example of this, where you get to use the product for “free,” but your data is the product–mined and monetized for advertising revenue generation. But the same principle applies to paid subscriptions. This reality pops out regularly in headlines that reveal that MSFT or Slack or some other collaboration tool is allowing itself to mine your data, capture screenshots of your calls and files, etc. Tech giants mine your data for a variety of commercial purposes. Most recently, using customer data to train their AI models has become a priority for big tech. So in other words, you’re paying for being data harvested by big tech. Please enjoy this amazing privilege.
But while those headlines get a lot of attention, there are many smaller but significant product design decisions to leave every possible door and window open by default to facilitate such data theft, I mean, errr…. data monetization.
If these “features” and “configuration defaults” just happen to make your MSFT Teams instance incredibly vulnerable to exploits by hackers, c’est la vie. In fact, there’s a great side benefit. It creates a lot of work for security teams, contractors, and service providers to reverse all the nonsense settings. Sadly, this is positioned as an important necessity, rather than the result of intentional insecurity by design.
IT Calling from the Underworld
The details of this particular exploit were broken to news organizations like bleeping computer and Forbes. Essentially, MSFT leaves Teams federations open by default, meaning that unless you have your IT proactively close down this door, anyone who sets up a server and federates with your Teams can communicate to your team and look like a legitimate internal Teams entity. Just to be clear, this completely undermines the whole point of federation, which is to create secure, secret “channel” or connections so that explicitly permitted, distinct groups of users can communicate securely.
Cue hackers with phishing attacks. Anytime you enable untrusted parties to legitimately pose as a trusted party and invite interaction, hackers can make a mint out of this. From where they sit behind their illicit Teams server federated with your wide open Teams server, attackers can send imposter emails posing as your IT team, and trick employees to hand over their system credentials. A bonus feature is that Teams like most other collaboration suites gives admins god-like access to everything, so if these credential phishing attacks can compromise an IT admin, then hackers can gain the keys to the kingdom. The result is getting featured in another news story like Disney did with its Slack data breach. Read our related blog on how the default admin privilege mode is broken.
Federation is a Massively Wide Gate That Must be Closed by Default
Federation is a hugely powerful entry point. It should be closed by default. Any software tool that has any level of reach into your data or workflows, and that leaves this gate open by default, is absurd.
Collaboration software is as central as it gets in terms of how your organization develops your intellectual property, operates your business, and exchanges your sensitive data. To leave federations open by default for your collaboration suite is from a PoV of security practice, nearly a crime.
Big tech companies will try to shift the blame. They can blame your email filtering systems for not catching malicious emails that are coming from a so-called trusted domain, but that’s unfair. Statistically speaking, even sophisticated filtering only catches about 85% of phishing emails. They could also blame users, but research shows that even if you conduct security training, roughly 10% of your employees will always be susceptible to phishing attacks. They could blame attackers too. But this is all misdirection. To use another analogy, big tech companies leave the barn doors wide open and then try to blame the horses for running out. Nice try.
With Wire, you have to enable Federation. It doesn’t come open and ready for exploitation out of the box.
But it doesn’t end there. There’s a difference between a mature approach to managing federation and an unserious approach. The mature approach is that you don’t just open everything at once and create a free-for-all like some unserious, so-called “secure messaging” products do. With Wire, you actually manage Federation actively, which means that you need to select which users can federate. That’s how enterprise-class security management of collaboration software is done. We implemented federation this way because we believe it’s our responsibility to provide software that keeps your data protected, private, and compliance.
Your Data Insecurity is Not a Flaw. It’s Not a Bug. It’s by Design
Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, pegged the core issue at the 2024 Black Hat conference. It’s worth re-reading even if you’ve already seen this.
“We don’t have a cybersecurity problem. We have a software quality problem. We have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software.”
That sounds harsh. But the truth is that is still a generous reading of what we’re looking at here.
The way that Teams is setting federation to default open is so obvious that it’s beyond being defective. That would imply that it was an unwitting error or oversight. This is worse. This is indicative of an intentional, insecurity by design approach because technology vendors want your data badly. That’s why they leave as many doors open as possible. What other reason could there be?
So the question is, what can you do about it? Easy. Choose different software.
When it comes to collaboration, Wire offers an enterprise-class platform to build a collaborative, digital workplace that is powerfully secure by default, in a way that is delightfully invisible to users, and highly controllable by IT admins. If you’re tired of putting up with this malfeasance and living with the consequences, it’s time to consider an alternative. Try Wire today for free, sign up for our paid plan or reach out to us to request a meeting and we can show what a truly secure path to a digital workplace looks like.